Update security.md
- Handbook default protected branches
- Remove table and point to settings so handbook is easier to maintain.
noahtalerman authored Oct 25, 2024
1 parent b67127c commit f45cb7a
Showing 1 changed file with 3 additions and 18 deletions.
21 changes: 3 additions & 18 deletions handbook/digital-experience/security.md
Expand Up @@ -520,24 +520,9 @@ located in too many places and not security-related.
#### Branch protection
Branch protection is one of the most important settings to configure and the main reason we should not have members with administrative privileges on the repositories.

Located in the Branches section of repository settings, we create a rule for **main** that applies:

| Setting | Value | Note |
| ---------------------------------------------------------------- | ----- | --------------------------------------------------------------------------------------------------------------------- |
| Require a pull request before merging || We enforce code reviews, which require PRs. |
| Require approvals | 1️⃣ | We require approval from one person in the team. |
| Dismiss stale pull request approvals when new commits are pushed || Without this, someone could get approval for a small, very nice PR and change everything about it! |
| Require review from Code Owners | 🗓 | We are working towards enabling this as our team grows and allows for more flexibility |
| Restrict who can dismiss pull request reviews | 🚫 | As we are a team working in multiple timezones, we want to allow dismissing reviews and getting another one. |
| Allow specified actors to bypass required pull requests | 🚫 | We do not want anyone pushing directly to main. |
| Require status checks to pass before merging || Because of our [monorepo](https://en.wikipedia.org/wiki/Monorepo#:~:text=In%20version%20control%20systems%2C%20a,as%20a%20'shared%20codebase'.), it is hard to pick many checks that work for all types of PRs, but we still enable this. |
| Require conversation resolution before merging | 🚫 | Reviewers should not approve a pull request if they do not think it's ready for merging. |
| Require signed commits | 🗓 | We are working towards enabling this, manually keeping track of unverified commits. |
| Require linear history | 🚫 | We do not currently use or enforce practices to generate a linear history. |
| Include administrators || We want these rules to apply to *everyone*. |
| Restrict who can push to matching branches | 🚫 | Anyone in our organization should be able to merge PRs that get reviewed, and nobody should be able to push directly. |
| Allow force pushes | 🚫 | We do not need this, so we do not allow it. |
| Allow deletions | 🚫 | We do not want ANYONE to be able to delete the *main* branch. |
By default, Fleet protects branches with these names: `main`, `patch[_-*]`, `feature[_-*]`, `minor[_-*]`, `rc-minor[_-*]`, `rc-patch[_-*]`, and `fleet-v*`.

To see the rules for protected branches, go tothe Branches section of repository settings.

### Scanning tools
Though not technically a part of GitHub itself, we feel like the security tools we use to scan our code, workflows, and GitHub configuration are part of our overall GitHub configuration.
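Review bot: the replacement lines (`By default, Fleet protects branches with these names: ...` and `To see the rules for protected branches, go tothe Branches section ...`) drop the rationale the deleted table carried (why one approval is required, why stale approvals are dismissed, why administrators are included, why force pushes and deletions are disallowed) without that reasoning surviving anywhere in the diff; consider keeping a short summary of the required protections and their reasons next to the pointer to settings, since the settings page shows the configuration but not the intent. Two smaller points on the same added lines: `go tothe` should read `go to the`, and if `patch[_-*]`, `feature[_-*]`, `minor[_-*]`, `rc-minor[_-*]` and `rc-patch[_-*]` are the literal GitHub branch-protection patterns, note that `[...]` is a character class in fnmatch-style globs, so `patch[_-*]` would match only a single trailing character rather than `patch-` followed by a name; if they are shorthand for the actual patterns, say so.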
